BluUBomb exploits the Wii U's bluetooth stack to gain IOSU kernel access via bluetooth.

Not to be confused with BlueBomb for the Wii and Wii Mini.

What does this mean?
This means you can get IOSU code execution by only pairing an emulated Wii Remote to the system.

This should be useful to fix a few softbricks on the Wii U side.
You don't need a working browser or Mii Maker.
if you've messed up with regionhax and can no longer access the browser, BluUBomb can fix this as well.

The BluUBomb repository contains a few different kernel binaries for different purposes:

loadrpx.bin
Launches a launch.rpx from the root of your SD card on the next application launch.

regionfree.bin
Applies IOSU patches to temporarily remove region restrictions.
This should be helpful if you've locked yourself out of your applications due to permanent region modifications.

wupserver.bin
Launches a wupserver instance directly after using bluubomb.
This gets you full system access remotely via wupclient (replace the IP in line 29 with the one of your Wii U).
This works without having to leave the controller pairing screen.

Check out the repository for additional instructions:
https://github.com/GaryOderNichts/bluubomb

The write-up and technical details can be found here:
https://github.com/GaryOderNichts/bluubomb/blob/master/WRITEUP.md

Credits

• GaryOderNichts - bluUbomb
• rnconrad for the WiimoteEmulator
• dimok789 and everyone else who made mocha possible

 

[HackerBoy0412]

Can someone help me? I using Linux in VM and always comes this

Can't write simple pairing mode: Input/output error (5)
Failed to set simple pairing mode
Warning: make sure secure simple pairing mode is disabled
connecting to host...
can't connect to host psm 17: Host is down
couldn't connect
cleaning up...
Can't restore simple pairing mode: Input/output error (5)
Failed to restore simple pairing mode.
But pairing mode is disabled

 

[Jonapika]

Could this method repair Error 160-0103 brick with quickmenu acces?

 

[gamesquest1]

Could this method repair Error 160-0103 brick with quickmenu acces?

with quick start access do you get to load up a game? if so you should be able to use this to then jump into the Homebrew launcher and assuming the tools exist be able to fix the system files causing the system not to boot

 

[GaryOderNichts]

with quick start access do you get to load up a game? if so you should be able to use this to then jump into the Homebrew launcher and assuming the tools exist be able to fix the system files causing the system not to boot

The quick start menu only runs on the Gamepad and isn't connected to the base console at all.
So you most likely can't recover with bluubomb.

 

[testing_this]

Will be an update to bluubomb to make it work with a SSL brick?

(Sorry if I'm bothering you ).

 

[godreborn]

Will be an update to bluubomb to make it work with a SSL brick?

(Sorry if I'm bothering you ).

afaik, it works with any brick that syncing the gamepad is possible. don't know for sure, but that's my understanding. use the virtual box and a linux distro as I was unable to do anything with bluetooth with the wsl version. I think @GaryOderNichts doesn't think it works with that version (not enough privileges).

 

[testing_this]

afaik, it works with any brick that syncing the gamepad is possible. don't know for sure, but that's my understanding. use the virtual box and a linux distro as I was unable to do anything with bluetooth with the wsl version. I think @GaryOderNichts doesn't think it works with that version (not enough privileges).

I'm doing the process on Ubuntu (booted, not vm or wsl). Bluubomb pairs correctly but when I leave the pairing screen on the console it freezes.

 

[godreborn]

not sure, I wasn't even able to get that far due to using wsl. disabling the bluetooth portion didn't work for me on the pc.

 

[GaryOderNichts]

Which payload did you run?
Also any bluetooth controllers won't work after bluubomb was run until you reboot. Make sure you use the gamepad.
Any errors in the terminal?

 

[testing_this]

Which payload did you run?
Also any bluetooth controllers won't work after bluubomb was run until you reboot. Make sure you use the gamepad.
Any errors in the terminal?

I tried arm_kernel_loadfile.bin and arm_kernel_fw_launcher. In both cases the console freezes.

I'm using an SD card formatted to FAT32 and copied these folders / files:

/wiiu/apps
- homebrew_launcher
- mocha (The mod you provided)
- WiiUFtpServer

This is the terminal output:

Can't write simple pairing mode: Input/output error (5)
Failed to set simple pairing mode
Warning: make sure secure simple pairing mode is disabled
listening for connections... (press wii u's sync button)

connected to [mac address]
sent 782
kernel bin sent 0
sent 772
rop sent 0
pivot sent 207
cleaning up...
Can't restore simple pairing mode: Input/output error (5)
Failed to restore simple pairing mode

This is the output when I run hciconfig hci0 sspmode

hci0: Type: Primary Bus: USB
BD Address: [mac address] ACL MTU: 1021:4 SCO MTU: 96:6
Simple Pairing mode: Disabled

I have to run (as root) hciconfig hci0 down; hciconfig hci0 up; hciconfig hci0 sspmode disable to disable Simple Pairing mode (Otherwise it remains Enabled).

I'm using an Intel bluetooth card, previously I used an Atheros card with same results.

Also, If I press the sync button and press back without running bluubomb, it also freezes the console.

 

[GaryOderNichts]

I tried arm_kernel_loadfile.bin and arm_kernel_fw_launcher. In both cases the console freezes.

I'm using an SD card formatted to FAT32 and copied these folders / files:

/wiiu/apps
- homebrew_launcher
- mocha (The mod you provided)
- WiiUFtpServer

This is the terminal output:

Can't write simple pairing mode: Input/output error (5)
Failed to set simple pairing mode
Warning: make sure secure simple pairing mode is disabled
listening for connections... (press wii u's sync button)

connected to [mac address]
sent 782
kernel bin sent 0
sent 772
rop sent 0
pivot sent 207
cleaning up...
Can't restore simple pairing mode: Input/output error (5)
Failed to restore simple pairing mode

This is the output when I run hciconfig hci0 sspmode

hci0: Type: Primary Bus: USB
BD Address: [mac address] ACL MTU: 1021:4 SCO MTU: 96:6
Simple Pairing mode: Disabled

I have to run (as root) hciconfig hci0 down; hciconfig hci0 up; hciconfig hci0 sspmode disable to disable Simple Pairing mode (Otherwise it remains Enabled).

I'm using an Intel bluetooth card, previously I used an Atheros card with same results.

Also, If I press the sync button and press back without running bluubomb, it also freezes the console.

Ah, I see. The crashing is caused by the SSL brick and not by bluubomb.
I'll see if I can make a payload to fix the SSL brick directly.

 

[Xpl0itU]

I tried arm_kernel_loadfile.bin and arm_kernel_fw_launcher. In both cases the console freezes.

I'm using an SD card formatted to FAT32 and copied these folders / files:

/wiiu/apps
- homebrew_launcher
- mocha (The mod you provided)
- WiiUFtpServer

This is the terminal output:

Can't write simple pairing mode: Input/output error (5)
Failed to set simple pairing mode
Warning: make sure secure simple pairing mode is disabled
listening for connections... (press wii u's sync button)

connected to [mac address]
sent 782
kernel bin sent 0
sent 772
rop sent 0
pivot sent 207
cleaning up...
Can't restore simple pairing mode: Input/output error (5)
Failed to restore simple pairing mode

This is the output when I run hciconfig hci0 sspmode

hci0: Type: Primary Bus: USB
BD Address: [mac address] ACL MTU: 1021:4 SCO MTU: 96:6
Simple Pairing mode: Disabled

I have to run (as root) hciconfig hci0 down; hciconfig hci0 up; hciconfig hci0 sspmode disable to disable Simple Pairing mode (Otherwise it remains Enabled).

I'm using an Intel bluetooth card, previously I used an Atheros card with same results.

Also, If I press the sync button and press back without running bluubomb, it also freezes the console.

You forgot to copy the homebrew launcher rpx to the root of the sd and rename it to “launch.rpx” (with no commas)

 

[GaryOderNichts]

You forgot to copy the homebrew launcher rpx to the root of the sd and rename it to “launch.rpx” (with no commas)

Well if the console crashes after exiting out of the sync menu even without bluubomb, it wouldn't get loaded anyways.

 

[Aryamanee]

This will save my Wii u!!!!

Thanks SOOOO MUCH!!

I can't believe I saw this now!!!

 

[GaryOderNichts]

Version 3 is now released!
Changelog:

• Bluubomb now loads kernel binaries from the SD Card.
  This allows for much larger kernel binaries with more possibilities.
• Added wupserver binary (See README or OP for more info).
• The loadrpx binary (previously loadfile) now comes with region free patches and gives every application full cos.xml permissions.
• Removed load fw.img binary.
  Use one of the other methods to recover your console and launch a fw.img with a proper fw launcher.
• Don't set SSP mode if it's already disabled to avoid a warning (thanks @linkmauve).

Refer to the README for updated instructions.

-------------------------------------------------

@testing_this Can you try to fix your SSL brick with the wupserver binary? If you don't have an internet connection set up, I'll come up with something else.

 

[testing_this]

Version 3 is now released!
Changelog:

• Bluubomb now loads kernel binaries from the SD Card.
  This allows for much larger kernel binaries with more possibilities.
• Added wupserver binary (See README or OP for more info).
• The loadrpx binary (previously loadfile) now comes with region free patches and gives every application full cos.xml permissions.
• Removed load fw.img binary.
  Use one of the other methods to recover your console and launch a fw.img with a proper fw launcher.
• Don't set SSP mode if it's already disabled to avoid a warning (thanks @linkmauve).

Refer to the README for updated instructions.

-------------------------------------------------

@testing_this Can you try to fix your SSL brick with the wupserver binary? If you don't have an internet connection set up, I'll come up with something else.

Thank you so much for helping me out. @GaryOderNichts

Sadly the console isn't connected to WiFi. Maybe I can look for a USB ethernet adapter?

Terminal output:

listening for connections... (press wii u's sync button)
connected to [mac address]
sent 803
kernel bin sent 0
sent 772
rop sent 0
pivot sent 207
cleaning up...

 

[GaryOderNichts]

Thank you so much for helping me out. @GaryOderNichts

Sadly the console isn't connected to WiFi. Maybe I can look for a USB ethernet adapter?

Terminal output:

listening for connections... (press wii u's sync button)
connected to [mac address]
sent 803
kernel bin sent 0
sent 772
rop sent 0
pivot sent 207
cleaning up...

Ah okay. A LAN Adapter sadly won't work since you need to set it up in system settings.
I'll make a kernel binary that just copies the certificate from the SD Card to the correct location.
That should be everything needed to fix the SSL brick, I think?

 

[testing_this]

Ah okay. A LAN Adapter sadly won't work since you need to set it up in system settings.
I'll make a kernel binary that just copies the certificate from the SD Card to the correct location.
That should be everything needed to fix the SSL brick, I think?

That should work. Here's a tutorial I found for fixing the module (when you have access to the web browser/hbl) https://gbatemp.net/threads/unbrick-wii-u-ssl-module.477793/

 

[GaryOderNichts]

That should work. Here's a tutorial I found for fixing the module https://gbatemp.net/threads/unbrick-wii-u-ssl-module.477793/

I don't think completely reinstalling the title is necessary. It should be enough to simply copy the original certificate to "
/vol/storage_mlc01/sys/title/0005001b/10054000/content/scerts/CACERT_NINTENDO_CA_G3.der"-

 

[GaryOderNichts]

Alright so here is a binary which copies a file named "cert.der" from the root of your SD card to the correct certificate path.
You can get the original cert from the decrypted NUS title or if you have a backup.
So what you need to do:
- extract the attached .zip
- rename the "ssl_unbrick.bin" to "bluu_kern.bin" and copy it to the root of the SD
- rename the cert to "cert.der" and copy it to the root
- power on your Wii U
- run bluubomb
- wait

Once finished successfully the console will reboot. If it fails it will power off without rebooting.
Let me know how it goes.